Nginx vs Caddy vs Traefik vs HAProxy for Self-Hosting
Benchmarks are the wrong question below 100 connections. How the four homelab reverse proxies actually feel to run — config styles, TLS automation, Docker workflows — with the same service configured in each.
Every reverse-proxy comparison opens with benchmarks, and for a homelab they are answering the wrong question. Below roughly 100 concurrent connections — which describes nearly every self-hosted setup on earth — all four of these proxies are effectively identical in speed. The differences that will actually shape your next two years are: how the config is maintained, what happens when certificates renew, and how the tool behaves when Docker containers come and go.
TL;DR — in 30 seconds
- Caddy if you want HTTPS you never think about and your services rarely change.
- Traefik if your homelab is Docker Compose files and services appear weekly.
- Nginx if you already know it or need its enormous ecosystem — via Nginx Proxy Manager if you want clicks instead of configs.
- HAProxy only when you genuinely need its load-balancing depth — most homelabs never do.
- Performance is a tie at homelab scale. Pick by workflow, not by benchmark.
The four contenders in one table
| Nginx | Caddy | Traefik | HAProxy | |
|---|---|---|---|---|
| Config style | Static files, verbose | One tiny Caddyfile | Docker labels / dynamic | Static file, dense |
| Automatic HTTPS | No (certbot bolt-on) | Built-in, zero config | Built-in (ACME) | No (external tooling) |
| Docker awareness | None native | Limited | Native — watches the socket | None native |
| Learning curve | Moderate | Lowest (as code) | Steepest mental model | Steep |
| Sweet spot | Known quantity, huge ecosystem | Fixed set of services | Services that come and go | Serious load balancing |
How each one actually feels to run
Nginx — the default that makes you earn it
Nginx is the proxy your tutorials assume. The ecosystem is unmatched and almost every self-hosted app documents an nginx snippet — when something breaks at an odd hour, the error message you paste into a search box has been seen ten thousand times before, and that familiarity is worth real money in debugging time. The cost: certificates are your problem (certbot plus a renewal timer you must remember exists), and configuration is spread across verbose server blocks you will forget the shape of between edits. Reloads are graceful but manual, and a typo in one site's block can refuse the whole config.
Nginx Proxy Manager (NPM) wraps all of this in a web UI — certificates, hosts, and access lists become forms and toggles. For beginners who want Jellyfin and Vaultwarden behind HTTPS today, NPM remains the friendliest on-ramp in 2026. Its limitation appears later: the moment you need something the UI does not expose, you are editing nginx configs anyway, now inside someone else's container layout.
Caddy — HTTPS you never think about
Caddy's entire pitch fits in its config file:
jellyfin.example.com {
reverse_proxy 192.168.1.20:8096
}
That is a complete, production-grade config — TLS certificate acquisition, renewal, HTTP→HTTPS redirect, and proxying included. Nothing else in this list comes close for config-to-result ratio. The tradeoff: a smaller plugin ecosystem, and deeply custom routing eventually gets less elegant than nginx.
Traefik — built for Docker churn
Traefik inverts the model: instead of a central config file, each container announces itself via labels, and Traefik notices new services by watching the Docker socket. Add a container, add three labels, and it is routed with TLS — no proxy restart, no central file edit. The price is the steepest initial mental model of the four (entrypoints, routers, services, providers). It pays off precisely when services change often.
HAProxy — the specialist
HAProxy leads the raw-throughput charts and offers load-balancing depth the others cannot match: fine-grained ACLs, sticky sessions, health checks with configurable thresholds, and a live stats dashboard that makes traffic visible in a way the others only approximate through logs. Operations teams run it at the front of some of the largest sites on the internet.
In a homelab, nearly all of that power is idle. There is no TLS automation — you bring your own certificate tooling — and the config format is the densest of the four, with its own vocabulary of frontends, backends, and ACLs. Pick it when you are genuinely load-balancing multiple backends; otherwise you are maintaining the hardest config for capabilities you never invoke.
The same service in each config
The clearest comparison is one identical job — jellyfin.example.com to a container on port 8096 — expressed three ways. Caddy, from above, is 3 lines. Traefik does it in Compose labels:
services:
jellyfin:
image: jellyfin/jellyfin
labels:
- traefik.enable=true
- traefik.http.routers.jellyfin.rule=Host(`jellyfin.example.com`)
- traefik.http.routers.jellyfin.tls.certresolver=letsencrypt
- traefik.http.services.jellyfin.loadbalancer.server.port=8096
And nginx, before certbot has had its say:
server {
listen 443 ssl;
server_name jellyfin.example.com;
ssl_certificate /etc/letsencrypt/live/jellyfin.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jellyfin.example.com/privkey.pem;
location / {
proxy_pass http://192.168.1.20:8096;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Running a Proxmox homelab with a stack of containerized services myself, this maintenance-shape difference is the entire decision: the nginx block is fine the day you write it — the question is how it feels when you meet it again in eight months, multiplied by a dozen services.
Tip
Whichever you choose, keep the proxy itself in a container with its config in the same Git repo as your Compose files. Future-you debugging a 2 a.m. certificate issue will thank present-you for the version history.
Decision table — pick by situation, not benchmark
| Your situation | Pick |
|---|---|
| First reverse proxy ever, want a UI | Nginx Proxy Manager |
| Comfortable with config files, services rarely change | Caddy |
| Everything is Docker Compose, services change weekly | Traefik |
| Following nginx-based tutorials, big custom routing needs | Nginx |
| Load-balancing multiple backends, need ACLs/stats | HAProxy |
| Torn between Caddy and Traefik | Caddy first — migrating later is cheap |
Note
Switching proxies is a smaller commitment than it feels: the services behind the proxy do not change, DNS does not change, and translating a dozen services is an afternoon. Do not let choice paralysis stop the homelab.
One honest addition: if your services are only reached from inside your own network — or through a mesh like Tailscale or a tunnel service — you may not need a classic edge proxy at all. The four tools above earn their keep the moment you expose services to the open internet under your own domains; before that point, the simplest thing that works is a legitimate choice too.
More self-hosting guides live in our self-hosting & privacy section, practical fixes in how-to & troubleshooting, and the broader tech pillar.
FAQ
Is Caddy better than Nginx Proxy Manager?
Different audiences: NPM gives you a web UI on top of nginx — clicks, not configs. Caddy gives you the shortest possible text config. UI people pick NPM; config-file people pick Caddy and get cleaner TLS automation.
Can I run two reverse proxies at once?
Yes — common during migrations: one proxy owns ports 80/443 and forwards specific hosts to the second. Long-term, one proxy should own the edge to keep certificate handling sane.
Does reverse proxy performance matter in a homelab?
Below ~100 concurrent connections, no — all four are far faster than anything a home connection or a handful of users can generate. Optimize for maintainability instead.
How hard is switching from Nginx to Caddy?
Each nginx server block usually collapses into 2–4 Caddyfile lines. A dozen services is an afternoon, including testing. The hardest part is trusting that the certificate handling really is automatic.
Comparison reflects the 2026 state of Nginx, Caddy 2.x, Traefik v3, HAProxy, and Nginx Proxy Manager for self-hosted use. Config examples are minimal working patterns — adapt hostnames, ports, and cert resolvers to your setup.
Stay in the loop
Get the latest articles delivered to your inbox. No spam, unsubscribe anytime.
GKV or PKV in Germany? The 2026 Decision Framework
The GKV-vs-PKV choice is 20% money, 80% reversibility. A step-by-step framework: who can even choose, the three factors that decide it, situation-by-situation verdicts, and the doors back — including the over-55 exceptions.
Continue Reading